New installation of FC5 with strict policy

Stefan stefan at sf-net.com
Tue Jun 13 13:22:55 UTC 2006


Hi,

I did a fresh installation of FC5 and upgraded to the strict policy.
After creating a new user via "adduser" I get the following avc
denials when I try to log in via ssh.

audit(1150198407.761:2862): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
audit(1150198411.552:2863): avc:  denied  { getattr } for  pid=3717  
comm="sshd" name="stefan" dev=hda2 ino=58667  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
audit(1150198411.624:2864): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:shell_exec_t:s0 tclass=process
audit(1150198411.624:2865): avc:  denied  { execute_no_trans } for   
pid=3721 comm="sshd" name="bash" dev=hda2 ino=29283  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
audit(1150198411.628:2866): avc:  denied  { execute } for  pid=3721  
comm="bash" name="id" dev=hda7 ino=1846199  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=file
audit(1150198411.628:2867): avc:  denied  { read } for  pid=3722  
comm="bash" name="id" dev=hda7 ino=1846199  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=file
audit(1150198411.628:2868): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.628:2869): avc:  denied  { execute_no_trans } for   
pid=3723 comm="bash" name="id" dev=hda7 ino=1846199  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=file
audit(1150198411.632:2870): avc:  denied  { execute } for  pid=3725  
comm="bash" name="hostname" dev=hda2 ino=29286  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
audit(1150198411.632:2871): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=process
audit(1150198411.632:2872): avc:  denied  { execute_no_trans } for   
pid=3725 comm="bash" name="hostname" dev=hda2 ino=29286  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
audit(1150198411.632:2873): avc:  denied  { read } for  pid=3725  
comm="bash" name="hostname" dev=hda2 ino=29286  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
audit(1150198411.636:2874): avc:  denied  { execute } for  pid=3721  
comm="bash" name="colorls.sh" dev=hda2 ino=175700  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:etc_t:s0 tclass=file
audit(1150198411.636:2875): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.640:2876): avc:  denied  { read } for  pid=3721  
comm="bash" name="stefan" dev=hda2 ino=58667  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
audit(1150198411.640:2877): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.644:2878): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.644:2879): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.648:2880): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.652:2881): avc:  denied  { read } for  pid=3721  
comm="bash" name=".bash_profile" dev=hda2 ino=58595  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=user_u:object_r:user_home_t:s0 tclass=file
audit(1150198411.652:2882): avc:  denied  { getattr } for  pid=3721  
comm="bash" name=".bash_profile" dev=hda2 ino=58595  
scontext=staff_u:system_r:sshd_t:s0  
tcontext=user_u:object_r:user_home_t:s0 tclass=file
audit(1150198411.656:2883): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process
audit(1150198411.660:2884): security_compute_sid:  invalid context  
staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0  
tcontext=system_u:object_r:bin_t:s0 tclass=process

I know that the strict policy is not quite perfect, but I thought an
ssh login should go fine, shouldn't it? My question is: is this the
default behaviour, or did I do something wrong? I also get a lot of avc
denials after a reboot with the strict policy. Shouldn't the strict
policy work quite fine with a default installation (I know it's not
perfect but ... ;-))?

Best regards,
Stefan
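The audit lines quoted above are of two kinds: ordinary `avc: denied` records (which carry the source context, target context, object class and the denied permissions) and `security_compute_sid: invalid context` records, which mean the kernel computed a new process context that the loaded policy does not consider valid (here the user/role/type tuple `staff_u:system_r:sshd_t`). Reading dozens of such lines by hand hides the pattern, so the following script, an added example that is not part of the original message, parses both record formats and groups them. The sample input is a constructed subset of the lines from the post, rejoined onto single lines; everything else (function names, the summary layout) is this example's own choice.

```python
import re
from collections import Counter

# Constructed sample: five of the audit lines quoted in the post,
# rejoined onto one line each (the mail client had wrapped them).
SAMPLE_AUDIT = """\
audit(1150198407.761:2862): security_compute_sid:  invalid context staff_u:system_r:sshd_t:s0 for scontext=staff_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
audit(1150198411.552:2863): avc:  denied  { getattr } for  pid=3717 comm="sshd" name="stefan" dev=hda2 ino=58667 scontext=staff_u:system_r:sshd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
audit(1150198411.624:2865): avc:  denied  { execute_no_trans } for  pid=3721 comm="sshd" name="bash" dev=hda2 ino=29283 scontext=staff_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
audit(1150198411.628:2866): avc:  denied  { execute } for  pid=3721 comm="bash" name="id" dev=hda7 ino=1846199 scontext=staff_u:system_r:sshd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
audit(1150198411.652:2881): avc:  denied  { read } for  pid=3721 comm="bash" name=".bash_profile" dev=hda2 ino=58595 scontext=staff_u:system_r:sshd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# "avc: denied { perm ... } for key=value ..." records
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# "security_compute_sid: invalid context X for key=value ..." records
SID_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): security_compute_sid:\s+'
    r'invalid context (?P<ctx>\S+) for (?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="sshd") or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'pid=3717 comm="sshd" ...' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_line(line):
    """Parse one audit line; returns a dict or None for unrelated lines."""
    m = AVC_RE.match(line)
    if m:
        rec = {"kind": "avc", "serial": int(m["serial"]),
               "perms": m["perms"].split()}
        rec.update(parse_fields(m["fields"]))
        return rec
    m = SID_RE.match(line)
    if m:
        rec = {"kind": "invalid_context", "serial": int(m["serial"]),
               "context": m["ctx"]}
        rec.update(parse_fields(m["fields"]))
        return rec
    return None


def split_context(ctx):
    """Split user:role:type[:range] into its components."""
    user, role, type_, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "range": ":".join(rest)}


def summarize(text):
    """Group denials by (scontext, tcontext, class, permission) and
    count invalid-context reports by the context that was rejected."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    denials = Counter()
    invalid = Counter()
    for r in records:
        if r["kind"] == "avc":
            for perm in r["perms"]:
                denials[(r["scontext"], r["tcontext"], r["tclass"], perm)] += 1
        else:
            invalid[r["context"]] += 1
    return {"records": len(records), "denials": denials,
            "invalid_contexts": invalid}


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT)
    print(f"{summary['records']} records parsed")
    for ctx, n in summary["invalid_contexts"].items():
        parts = split_context(ctx)
        print(f"invalid context x{n}: user={parts['user']} role={parts['role']} "
              f"type={parts['type']}")
    for (src, tgt, cls, perm), n in sorted(summary["denials"].items()):
        print(f"denied x{n}: {perm} on {cls} {src} -> {tgt}")
```

The grouping makes two things visible at a glance that the raw log buries: every denial has the same source context, and the invalid-context reports all name the same user/role pair, which is the pair the policy must authorise for a login to succeed. It also shows the home directory and dotfiles labelled with a different SELinux user (`user_u`) than the process (`staff_u`), which is the kind of mismatch worth checking before adding any allow rules.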



